Firewall services system and method based on virtual network
Technical field
The present invention relates to the field of computer technology and, more specifically, to a firewall service system and method that implements a virtual-network firewall on a virtual network.
Background technology
Conventional network firewalls are generally deployed at the network border, on a link through which all traffic in the network can be monitored. Packets addressed to the internal network are filtered and, with reference to the configured firewall security policy, either forwarded or dropped.
In a virtual network environment the physical network resources are shared by all virtual-network users, but from each user's point of view the network is dedicated to that user and isolated from the networks of other users. Each user or business-flow network may have different network security requirements according to the service characteristics of its own network, and therefore different requirements for firewall deployment and security policy. Because a virtual network expands and contracts elastically, the boundary of a user's network is indeterminate from the point of view of the physical network, so a firewall cannot be deployed in the conventional manner to provide firewall services for each user. Traditional firewall technology is therefore hard-pressed to meet the security requirements of virtual-network users.
No effective solution to this problem in the related art has yet been proposed.
Summary of the invention
To address this problem in the related art, the present invention proposes a firewall service system and method that implements a virtual-network firewall on a virtual network, using the deployment and distributed management of firewall service nodes to construct a distributed virtual firewall.
To achieve the above object, in one aspect the invention provides a firewall service system based on a virtual network, comprising: a distributed firewall manager, for obtaining the information of all virtual machine network interfaces in a user's network according to the user's network identity, determining the corresponding firewall service node according to the virtual machine network interface information, and distributing the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node; and a firewall service node, configured on an OVS switch based on the Open vSwitch (OVS) standard, for managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the invention, the firewall service system further comprises a virtual firewall module, for setting the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface, and for sending the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the invention, the virtual firewall module is further configured to, when the user's firewall configuration information and/or firewall security policy changes, send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager.
According to the invention, the virtual machine network interface information comprises the position, within the management network, of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
According to the invention, the firewall service node comprises a policy module, which converts the firewall security policy issued by the distributed firewall manager into a data flow control policy.
According to the invention, the firewall service node further comprises a control module, which listens for control information sent by the distributed firewall manager in order to perform control operations on the service node or configuration operations on the policy module.
In another aspect, the invention also provides a method for implementing a virtual-network firewall, comprising: the distributed firewall manager obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity; the distributed firewall manager determines the corresponding firewall service node according to the virtual machine network interface information; the distributed firewall manager distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node, where the firewall service node is configured on an OVS switch based on the Open vSwitch (OVS) standard; and the firewall service node manages the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
According to the invention, the method further comprises: the virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; and sends the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager.
According to the invention, managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user comprises: converting the user's firewall security policy into a data flow control policy; and managing the data flows passing through the OVS switch according to that data flow control policy.
Compared with the prior art, the beneficial effects of the present invention are as follows:
By deploying firewall service nodes on physical machines and managing those service nodes in a distributed manner, the present invention implements a distributed virtual firewall and thereby builds a logically independent virtual firewall device for each user.
In addition, the present invention keeps each user's security policy and user configuration independent, so that one user's security policy cannot interfere with another user's network. The invention therefore solves the problem that traditional firewall devices cannot meet the differing security requirements of users in a virtual network.
Description of the drawings
Fig. 1 is a structural block diagram of the firewall service system based on a virtual network according to an embodiment of the present invention;
Fig. 2 is a schematic diagram of the method for implementing a virtual-network firewall according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the method for implementing a virtual-network firewall according to a further embodiment of the present invention;
Fig. 4 is a schematic diagram of the method for implementing a virtual-network firewall according to another embodiment of the present invention.
Embodiments
The present invention is further described below with reference to the accompanying drawings.
Fig. 1 shows the firewall service system based on a virtual network according to the present invention; the system comprises a distributed firewall manager 10 and firewall service nodes 20.
Specifically, the distributed firewall manager 10 obtains the information of all virtual machine network interfaces in a user's network according to the user's network identity; it determines the corresponding firewall service node 20 according to the virtual machine network interface information; and it distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node 20.
Further, the firewall service node 20 may be configured on an OVS switch based on the Open vSwitch (OVS) standard, and manages the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user described above.
In an optional embodiment of the present invention, the firewall service system may further comprise a virtual firewall module. This virtual firewall module may be used to set the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; it may also send the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager 10.
Further, in a preferred embodiment of the present invention, when the user's firewall configuration information and/or firewall security policy changes, the virtual firewall module may also send the changed firewall configuration information and/or firewall security policy together with the user's network identity to the distributed firewall manager 10.
In another preferred embodiment of the present invention, the virtual machine network interface information may comprise the position, within the management network, of the OVS switch to which the virtual machine network interface is connected, and the port number of the virtual machine network interface on that OVS switch.
Further, in an optional embodiment of the present invention, the firewall service node 20 may comprise a policy module and a control module.
In particular, the policy module may be used to convert the firewall security policy issued by the distributed firewall manager 10 into a data flow control policy; and the control module may be used to listen for control information sent by the distributed firewall manager 10 and to perform control operations on the service node or configuration operations on the policy module.
In another aspect, as shown in Fig. 2, the present invention also provides a method for implementing a virtual-network firewall, the method comprising:
S101, the distributed firewall manager 10 obtains the information of all virtual machine network interfaces in the user's network according to the user's network identity;
S102, the distributed firewall manager 10 determines the corresponding firewall service node 20 according to the virtual machine network interface information;
S103, the distributed firewall manager 10 distributes the user's firewall configuration information and/or firewall security policy to the corresponding firewall service node 20, where the firewall service node 20 is configured on an OVS switch based on the Open vSwitch (OVS) standard;
S104, the firewall service node 20 manages the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user.
Preferably, as shown in Fig. 3, in an embodiment of the method for implementing a virtual-network firewall according to the present invention, the method may further comprise:
S201, the virtual firewall module sets the user's network identity and the corresponding firewall configuration information and/or firewall security policy through a firewall operation interface; and
S202, the virtual firewall module sends the user's network identity and the corresponding firewall configuration information and/or firewall security policy to the distributed firewall manager 10.
In addition, as shown in Fig. 4, in another preferred embodiment of the method of the present invention, the step of managing the data flows passing through the OVS switch according to the received firewall configuration information and/or firewall security policy of the user may comprise:
S301, converting the user's firewall security policy into a data flow control policy; and
S302, managing the data flows passing through the OVS switch according to that data flow control policy.
Specifically, in the present invention the firewall service node is a service module built on top of OVS. First, OVS replaces the original Linux Bridge module on the host and provides Layer 2 network access for the virtual machines running on that host. OVS forwards packets addressed to the virtual machines at high speed, and the basis of that forwarding is the flow table. A flow table is the highly abstract representation of forwarding rules used by an OpenFlow switch; it comprises header fields, counters and actions. The header fields describe the matching policy for a packet and include the port on which the packet arrived, the source MAC address, destination MAC address, source IP address, destination IP address, IP protocol, TCP/UDP source port and TCP/UDP destination port.
In particular, the flow table contents can be set freely according to need, and thereby provide the switch with its packet forwarding policy. The firewall service node 20 module consists mainly of two parts. The first is the policy module, which stores the firewall security policy issued by the distributed manager, converts the security policy into OVS data flow control rules, and saves those rules in the OVS flow table. The other is the node control module, which runs a web service exposing a control interface to the service node following the REST (Representational State Transfer) standard; it listens for commands sent by the distributed manager and performs control operations and firewall policy configuration operations on the service node.
The firewall distributed manager abstracts an independent logical firewall service for each virtual network. When a user configures his or her own firewall service, the configuration information is sent to the distributed manager together with the user's network identity. According to the user's network identity, the distributed manager obtains from the network management system the information of all virtual machine network interfaces in the user's network, including the position within the management network of the OVS switch to which each virtual machine network interface is connected and the port number of that interface on the OVS switch. The distributed manager then distributes the user's firewall configuration information to the corresponding firewall service nodes 20 according to that information, and the corresponding firewall service nodes 20 process the firewall policy.
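The conversion performed by the policy module (steps S301 and S302, and the flow-table description above) can be illustrated with the following added example. It is not the patent's own code: it turns an ordered firewall security policy for one virtual machine into OpenFlow-style flow-table entries, renders them in the text syntax that the ovs-ofctl add-flow command accepts, and simulates the switch's highest-priority-match lookup with a per-entry counter. The Rule and FlowEntry classes, the header-field names chosen and the sample policy are all assumptions made for this example.

```python
"""Policy module of an OVS-based firewall service node (illustrative).

Added example, not the patent's own code. Converts a user's ordered firewall
security policy into flow-table entries scoped to one VM, renders them in
ovs-ofctl add-flow syntax and simulates the lookup. Rule/FlowEntry and the
field names used here are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# OpenFlow nw_proto numbers for the protocols this example accepts.
PROTO_NUM = {"icmp": 1, "tcp": 6, "udp": 17}
PROTO_NAME = {v: k for k, v in PROTO_NUM.items()}


@dataclass(frozen=True)
class Rule:
    """One rule of the user's firewall security policy (assumed shape)."""
    action: str                     # "allow" or "deny"
    src_ip: Optional[str] = None    # None matches any source address
    proto: Optional[str] = None     # "tcp", "udp", "icmp" or None for any
    dst_port: Optional[int] = None  # TCP/UDP destination port, if any


@dataclass
class FlowEntry:
    """Flow-table entry: header-field match, counter and action."""
    priority: int
    match: Dict[str, object]  # dl_dst, nw_src, nw_proto, tp_dst
    actions: str              # "NORMAL" (forward via the L2 pipeline) or "drop"
    packets: int = 0          # per-entry packet counter

    def to_ovs_ofctl(self) -> str:
        """Render the entry in the text form accepted by 'ovs-ofctl add-flow'."""
        tokens = [f"priority={self.priority}", f"dl_dst={self.match['dl_dst']}"]
        if "nw_proto" in self.match:
            tokens.append(PROTO_NAME[self.match["nw_proto"]])  # "tcp" etc. implies "ip"
        elif "nw_src" in self.match:
            tokens.append("ip")                                 # nw_src needs an IP match
        if "nw_src" in self.match:
            tokens.append(f"nw_src={self.match['nw_src']}")
        if "tp_dst" in self.match:
            tokens.append(f"tp_dst={self.match['tp_dst']}")
        return ",".join(tokens) + f",actions={self.actions}"


def policy_to_flows(vm_mac: str, rules: List[Rule]) -> List[FlowEntry]:
    """Convert an ordered policy into flow entries for packets sent to vm_mac.

    Earlier rules get higher priority so the switch's highest-priority match
    reproduces the policy order; a final low-priority entry drops everything
    else addressed to the VM (default deny). Every entry carries
    dl_dst=vm_mac, so this user's policy never touches other users' traffic.
    """
    flows: List[FlowEntry] = []
    for i, rule in enumerate(rules):
        if rule.action not in ("allow", "deny"):
            raise ValueError(f"unknown action {rule.action!r}")
        if rule.dst_port is not None and rule.proto not in ("tcp", "udp"):
            raise ValueError("a destination port requires proto tcp or udp")
        match: Dict[str, object] = {"dl_dst": vm_mac}
        if rule.src_ip is not None:
            match["nw_src"] = rule.src_ip
        if rule.proto is not None:
            match["nw_proto"] = PROTO_NUM[rule.proto]
        if rule.dst_port is not None:
            match["tp_dst"] = rule.dst_port
        flows.append(FlowEntry(1000 - i, match, "NORMAL" if rule.action == "allow" else "drop"))
    flows.append(FlowEntry(1, {"dl_dst": vm_mac}, "drop"))
    return flows


def lookup(table: List[FlowEntry], packet: Dict[str, object]) -> str:
    """Simulated flow-table lookup: highest-priority entry whose fields all match."""
    best: Optional[FlowEntry] = None
    for entry in table:
        if all(packet.get(k) == v for k, v in entry.match.items()):
            if best is None or entry.priority > best.priority:
                best = entry
    if best is None:
        return "NORMAL"  # not addressed to a managed VM: left to normal forwarding
    best.packets += 1
    return best.actions


# Constructed sample policy (not from the patent): block one host, allow SSH and ping.
VM_MAC = "52:54:00:00:00:01"
SAMPLE_POLICY = [
    Rule("deny", src_ip="10.0.0.99"),
    Rule("allow", proto="tcp", dst_port=22),
    Rule("allow", proto="icmp"),
]


def packet(dst_mac: str, src_ip: str, proto: str, port: Optional[int] = None) -> Dict[str, object]:
    """Build a constructed packet header in the same field names as the match."""
    hdr: Dict[str, object] = {"dl_dst": dst_mac, "nw_src": src_ip, "nw_proto": PROTO_NUM[proto]}
    if port is not None:
        hdr["tp_dst"] = port
    return hdr


def demo() -> Dict[str, str]:
    """Apply the sample policy and report the action taken for a few packets."""
    table = policy_to_flows(VM_MAC, SAMPLE_POLICY)
    return {
        "ssh_from_ok_host": lookup(table, packet(VM_MAC, "10.0.0.5", "tcp", 22)),
        "ssh_from_blocked_host": lookup(table, packet(VM_MAC, "10.0.0.99", "tcp", 22)),
        "http_from_ok_host": lookup(table, packet(VM_MAC, "10.0.0.5", "tcp", 80)),
        "other_vm_untouched": lookup(table, packet("52:54:00:00:00:02", "10.0.0.5", "tcp", 80)),
    }


if __name__ == "__main__":
    for entry in policy_to_flows(VM_MAC, SAMPLE_POLICY):
        print(entry.to_ovs_ofctl())
    print(demo())
```

The design point worth noting is the scoping: every generated entry, including the trailing default-deny entry, matches on the VM's own destination MAC, which is how a per-user policy installed in a shared OVS flow table is kept from affecting packets destined to other users' virtual machines on the same host.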
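The manager's part of the procedure (steps S101 to S103 above, and the re-distribution after a policy change described for the virtual firewall module) is shown in the following added example, which is not the patent's own code. It looks up the virtual machine interfaces of a user's network by network identity, groups them by the OVS switch they connect to, and pushes the user's policy only to the firewall service node on each of those switches. The NetworkManagement and ServiceNode classes are stand-ins for the real network management system and for the service node's REST control interface; every name, host and policy value is constructed for this example.

```python
"""Distributed firewall manager (illustrative).

Added example, not the patent's own code. Walks steps S101-S103: look up the
VM interfaces of a user's network by network identity, group them by OVS
switch, and push the user's policy to the service node on each such switch.
NetworkManagement and ServiceNode stand in for the real network management
system and the node's REST control interface; all sample data is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class VmInterface:
    """Virtual machine network interface information held by network management."""
    vm: str
    mac: str
    switch: str  # management-network position of the OVS switch (here: a host name)
    port: int    # port number of the interface on that OVS switch


class NetworkManagement:
    """Stand-in for the network management system the manager queries (S101)."""

    def __init__(self, inventory: Dict[str, List[VmInterface]]):
        self._inventory = inventory  # network identity -> interfaces in that network

    def interfaces_of(self, network_id: str) -> List[VmInterface]:
        return list(self._inventory.get(network_id, []))


class ServiceNode:
    """Stand-in for the REST control interface of one per-switch service node."""

    def __init__(self, switch: str):
        self.switch = switch
        # network identity -> (policy, interfaces) as last configured on this node
        self.configured: Dict[str, Tuple[List[str], List[VmInterface]]] = {}

    def push(self, network_id: str, policy: List[str], interfaces: List[VmInterface]) -> None:
        # A node only accepts interfaces that sit on its own switch.
        if any(iface.switch != self.switch for iface in interfaces):
            raise ValueError(f"interface not on switch {self.switch}")
        self.configured[network_id] = (list(policy), list(interfaces))


class DistributedFirewallManager:
    def __init__(self, netmgmt: NetworkManagement, nodes: Dict[str, ServiceNode]):
        self.netmgmt = netmgmt
        self.nodes = nodes  # switch position -> firewall service node on that switch

    def distribute(self, network_id: str, policy: List[str]) -> Dict[str, List[VmInterface]]:
        """Steps S101-S103; returns the switch -> interfaces mapping that was used."""
        interfaces = self.netmgmt.interfaces_of(network_id)            # S101
        by_switch: Dict[str, List[VmInterface]] = {}
        for iface in interfaces:
            by_switch.setdefault(iface.switch, []).append(iface)       # S102
        for switch, group in by_switch.items():
            node = self.nodes.get(switch)
            if node is None:
                raise LookupError(f"no firewall service node on switch {switch}")
            node.push(network_id, policy, group)                       # S103
        return by_switch


def build_demo() -> Tuple[DistributedFirewallManager, Dict[str, ServiceNode]]:
    """Constructed inventory: two user networks spread over three hosts."""
    netmgmt = NetworkManagement({
        "net-A": [VmInterface("a1", "52:54:00:0a:00:01", "host-1", 3),
                  VmInterface("a2", "52:54:00:0a:00:02", "host-2", 5)],
        "net-B": [VmInterface("b1", "52:54:00:0b:00:01", "host-1", 4),
                  VmInterface("b2", "52:54:00:0b:00:02", "host-3", 2)],
    })
    nodes = {host: ServiceNode(host) for host in ("host-1", "host-2", "host-3")}
    return DistributedFirewallManager(netmgmt, nodes), nodes


def demo() -> Dict[str, Dict[str, Tuple[List[str], List[str]]]]:
    """Distribute both users' policies, then re-distribute net-A after a change."""
    mgr, nodes = build_demo()
    mgr.distribute("net-A", ["allow tcp/22", "deny any"])
    mgr.distribute("net-B", ["allow tcp/443"])
    # The user changed net-A's policy: the manager pushes the new version again.
    mgr.distribute("net-A", ["allow tcp/22", "allow icmp", "deny any"])
    return {
        host: {net: (pol, [i.vm for i in ifaces]) for net, (pol, ifaces) in node.configured.items()}
        for host, node in nodes.items()
    }


if __name__ == "__main__":
    for host, state in demo().items():
        print(host, state)
```

Two properties of the arrangement stand out in the result: a host that carries virtual machines of only one user never receives the other user's policy at all, and a host shared by two users holds each policy together with only that user's interfaces, which is what keeps one user's security policy from affecting another user's network.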
In summary, by deploying firewall service nodes 20 on physical machines and managing those service nodes in a distributed manner, the present invention implements a distributed virtual firewall and thereby builds a logically independent virtual firewall device for each user.
In addition, the present invention keeps each user's security policy and user configuration independent, so that one user's security policy cannot interfere with another user's network. The invention therefore solves the problem that traditional firewall devices cannot meet the differing security requirements of users in a virtual network.
The foregoing is merely a preferred embodiment of the present invention and is not intended to limit it; any modification, equivalent substitution, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.